The problem can be corrected by upgrading the affected package to version 5.51-2ubuntu0.2 (for Ubuntu 4.10), or 5.51-2ubuntu1.2 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Imran Ghory found a race condition in the handling of output files. While a file was unpacked by unzip, a local attacker with write permissions to the target directory could exploit this to change the permissions of arbitrary files of the unzip user.
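
The general defence against this class of race, shown as an added example that is neither unzip's code nor the Ubuntu patch: create the output file exclusively and set its final mode through the open descriptor instead of by path name. The helper name `extract_member`, the sample path and the assumption that the window lies between writing the file and setting its permissions by name are illustrative; the advisory does not describe the mechanism in that detail.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkdtemp, O_NOFOLLOW on older glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not unzip's code: write one extracted member and set
 * its final mode without referring to the file by name a second time. */
int extract_member(const char *path, const void *data, size_t len, mode_t mode)
{
    /* O_EXCL fails if anything already exists at path; O_NOFOLLOW refuses a
     * symlink. 0600 keeps the file private while it is being written. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n <= 0) {
            close(fd);
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }

    /* Racy pattern: close(fd); chmod(path, mode); the name can be re-pointed
     * between the two calls. fchmod() acts on the inode this process created,
     * whatever the directory entry refers to by now. */
    if (fchmod(fd, mode & 0777) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(void)
{
    char dir[] = "/tmp/extract_demo_XXXXXX";   /* constructed sample location */
    char path[64];
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/member.txt", dir);
    return extract_member(path, "hello\n", 6, 0644) == 0 ? 0 : 1;
}
```

Extracting into a directory that other local users cannot write to removes the precondition the advisory names.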